diff --git a/.gitea/workflows/pr-security-check.yml b/.gitea/workflows/pr-security-check.yml
index 1f5353e..bdd44ea 100644
--- a/.gitea/workflows/pr-security-check.yml
+++ b/.gitea/workflows/pr-security-check.yml
@@ -33,7 +33,11 @@ jobs:
 mv gitleaks /usr/local/bin/gitleaks
 - name: Run secret scan
- run: gitleaks detect --source . --exit-code 1 --redact --verbose --log-level debug
+ # Scan only the commits this PR introduces (base..head), not the whole history.
+ run: |
+ gitleaks detect --source . \
+ --log-opts="${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }}" \
+ --exit-code 1 --redact --verbose --log-level debug
 # ── 2. CVE scan ───────────────────────────────────────────────────────────────
 trivy:
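Review bot: The `--log-opts` line interpolates `github.event.pull_request.base.sha` and `.head.sha` with no guard, so on any run that is not a `pull_request` event (the trigger block is outside this hunk, so I can't tell whether push or manual runs reach this job) both expressions expand empty, the range collapses to `..`, and git log most likely returns no commits — the step then reports nothing and passes, which silently defeats `--exit-code 1`. The same happens if the checkout step (also outside the hunk) is shallow and does not have both SHAs; confirm it uses `fetch-depth: 0` or note the requirement in the comment. I'd also pass the two SHAs through `env:` rather than splicing `${{ }}` into the shell line — they are hex today so injection risk is low, but keeping expressions out of `run:` is the cheap defence-in-depth — and fail loudly when either is unset.

```yaml
      - name: Run secret scan
        # Scan only the commits this PR introduces (base..head), not the whole history.
        # Requires the checkout step to have fetched both SHAs (e.g. fetch-depth: 0).
        env:
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          # Refuse to run with an empty range rather than scanning nothing and passing.
          : "${BASE_SHA:?not a pull_request event}" "${HEAD_SHA:?not a pull_request event}"
          gitleaks detect --source . \
            --log-opts="${BASE_SHA}..${HEAD_SHA}" \
            --exit-code 1 --redact --verbose --log-level debug
```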